
Securing Windows 2000 and IIS

I was reading this and found it quite useful, so I decided to share it with the AO community.
<www.astalavista.com>

Securing Windows 2000 and IIS ( New Vulnerabilities )
In this tutorial I'm going to explain new vulnerabilities that have been discovered and how to secure our systems against them.

Microsoft Windows 2000 WebDAV / ntdll.dll Buffer Overflow Vulnerability
Microsoft has released Security Bulletin MS03-007, which outlines a previously unreported vulnerability present in the Microsoft Windows 2000 operating system and is exploitable through the IIS WebDAV component. The vulnerability is a buffer overflow condition, which is known to be exploitable through Microsoft IIS, but does not require Microsoft IIS to be enabled in order to be exploitable.

IIS, if installed, implements World Wide Web Distributed Authoring and Versioning (WebDAV) in the Microsoft Windows 2000 operating system. IIS is installed by default on the Windows 2000 Server and Advanced Server, but is not installed by default on Windows 2000 Professional.

The WebDAV provides a standard for Web-based editing and file management. A buffer overflow vulnerability is present in a Microsoft Windows 2000 core component used by WebDAV. WebDAV does not perform sufficient bounds checking on data passed to a particular system component.

When unusually long data is supplied to the WebDAV component, it is, in turn, passed to the vulnerable ntdll.dll system component. The ntdll.dll fails to perform sufficient bounds checking on this data, allowing a buffer to be overrun. This could result in the execution of arbitrary code in the context of the IIS service, which is Local System, by default.
When IIS is exploited via this vulnerability, it crashes for a moment.
So, how do we protect ourselves from this vulnerability?
Let's say the easiest way is to disable WebDAV through the Windows registry:
1. Go to Start/Run, then type "regedit"
2. Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
3. In the Edit menu, insert the following value:
 Data Type: DWORD
 Value Name: DisableWebDAV
 Value Data: 1 (0 means WebDAV is enabled)
4. Then restart Windows
On the other hand, we can patch our servers with Microsoft hotfixes, but if you use Win2000 SP2, please follow these steps before patching:
1. Go to the /System32 folder
2. Right-click ntoskrnl.exe, select Properties, and check the version of this file on the "Version" tab
Versions 5.0.2195.4797 and 5.0z.2195 are not compatible with these service packs. If incompatible patches are installed on your system, Win2K crashes on first boot and shows a 0x00000071 error message; you then have to repair it with the Win2000 Repair Console.

The first vulnerability may allow an attacker to obtain elevated privileges. This vulnerability can be exploited by an attacker to load and execute applications on the vulnerable server with SYSTEM level privileges. This vulnerability can be exploited when IIS is configured to run applications out of process.

The second vulnerability may allow a remote attacker to cause a denial of service condition. This vulnerability is related to how IIS allocates memory for WebDAV requests. Any specially crafted WebDAV requests may result in IIS allocating an extremely large amount of memory on the server. Several malformed requests sent to the server will result in the vulnerable system failing to respond to further legitimate requests for service. This vulnerability affects IIS 5.0 and 5.1 only.

The third vulnerability may allow a remote attacker to upload a file onto the vulnerable server and possibly execute it. The vulnerability is a result of inappropriate listing of file types that are subject to the script source access permission in IIS 5.0. As a result an attacker may be able to upload malicious files to a vulnerable server and possibly execute it. This vulnerability only affects IIS 5.0.

The final vulnerability is a cross site scripting vulnerability. The vulnerability is a result of improper sanitization of user-supplied input by IIS. Several web pages, provided by IIS for administrative purposes do not adequately sanitize user-supplied input. Any malicious HTML code that may be included in the URI will be executed.

Microsoft Windows Locator Service Buffer Overflow Vulnerability
Description
It has been reported that the Microsoft Windows Locator service is affected by a remotely exploitable buffer overflow vulnerability. The condition is due to a memory copy of RPC arguments received from remote clients into a local buffer.

This vulnerability may be exploited by remote attackers to execute custom instructions on the target server. It is also possible to crash the service with a malicious request. It should be noted that, to exploit this vulnerability, no authentication is required. Additionally, the Locator service is enabled by default on all Windows 2000 and Windows NT Domain Controllers (DC).

So we can configure firewalls to ignore, or block, unsolicited traffic to the Windows NetBIOS service on ports 138 and 139.

Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
A buffer overrun vulnerability has been discovered in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.

This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80.
And as you know, W32/Blaster uses the DCOM vulnerability to gain access to systems.
So, we can protect ourselves by using a firewall to block port 135, or by using hotfixes.
Patches:
Microsoft Windows 2000 Advanced Server SP4:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe http://microsoft.com/downloads/detai...displaylang=en

The first of these issues is a buffer overflow in SQL Server user authentication. It is possible to corrupt memory with a malformed login request. This may enable an attacker to execute arbitrary code with the privileges of the SQL Server process. Malformed login requests may also cause a denial of service. It is possible to trigger this condition prior to authenticating with the server. This issue affects Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000.

The second issue is a buffer overflow in one of the Database Console Commands (DBCCs) that ship with the vulnerable products. This issue may be exploited to execute arbitrary code with the privileges of the SQL Server process. Authentication is required to exploit this vulnerability. The issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000.

The third issue is related to how the affected products handle scheduled jobs. The SQL Server Agent may be instructed to create an output file during a job step. The output file will be created with the privileges of the SQL Server Agent, instead of the privileges of the user who scheduled the job. As a result, a malicious authenticated user could schedule a job step which creates a malicious output file in an attacker-specified directory. This may potentially be exploited to allow for execution of operating system commands with elevated privileges. An attacker will also be able to cause sensitive files to be corrupted. This issue affects Microsoft SQL Server 7.0/2000 and Microsoft Data Engine (MSDE) 1.0/2000.

Microsoft Data Access Components ODBC Buffer Overflow Vulnerability
A buffer overflow vulnerability exists in Microsoft Data Access Components that may allow an attacker to run arbitrary code on a client machine. This vulnerability is exposed when a client or a SQL Server implementing the SQL-DMO library, sends a broadcast request for Microsoft SQL Servers on a network. In response an attacker could send malicious data to the querying system, causing a buffer overflow.

This vulnerability could allow an attacker to gain access to confidential data and compromise the system.

Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow Vulnerability
Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions.
This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension - nsiislog.dll. When Windows Media Services are added through add/remove programs to Windows 2000, nsiislog.dll is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, nsiislog.dll is automatically loaded and used by IIS.
There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send a specially formed HTTP request (communications) to the server that could cause IIS to fail or execute code on the user's system.
Windows Media Services is not installed by default on Windows 2000. An attacker attempting to exploit this vulnerability would have to be aware which computers on the network had Windows Media Services installed and send a specific request to that server.
So, how do we find out if our server is vulnerable? Try checking this URL: Http://www.yourdomain.com/scripts/NSIISlog.DLL
If it answers "the page not found", it's not vulnerable.
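
The DisableWebDAV registry setting from the WebDAV section above, checked offline against a regedit export of the W3SVC\Parameters key. This is an added example, not part of the original tutorial or post; the sample exports are constructed and the function names are hypothetical.

```python
import re

# Key and value name are the ones given in the tutorial above.
W3SVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters"
VALUE_NAME = "DisableWebDAV"

HEADER = "Windows Registry Editor Version 5.00\n\n"
# Constructed sample exports (not taken from a real server).
HARDENED = HEADER + "[" + W3SVC_KEY + ']\n"MajorVersion"=dword:00000005\n"DisableWebDAV"=dword:00000001\n'
DEFAULT = HEADER + "[" + W3SVC_KEY + ']\n"MajorVersion"=dword:00000005\n'
# Same value name, but created as a string instead of a DWORD.
WRONG_TYPE = HEADER + "[" + W3SVC_KEY.lower() + ']\n"disablewebdav"="1"\n'


def parse_reg(text):
    """Parse .reg export text into {key_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys


def webdav_status(reg_text):
    """Classify the DisableWebDAV setting found in an exported registry file."""
    values = parse_reg(reg_text).get(W3SVC_KEY.lower())  # registry paths are case-insensitive
    if values is None:
        return "key-missing"      # IIS not installed, or a different key was exported
    raw = values.get(VALUE_NAME.lower())
    if raw is None:
        return "not-set"          # value never created
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m is None:
        return "wrong-type"       # the tutorial specifies a DWORD
    data = int(m.group(1), 16)
    return {1: "disabled", 0: "enabled"}.get(data, "unexpected-value")


if __name__ == "__main__":
    for name, sample in [("hardened", HARDENED), ("default", DEFAULT), ("wrong type", WRONG_TYPE)]:
        print(f"{name}: WebDAV {webdav_status(sample)}")
```

Version 5.00 exports are written as UTF-16, so decode an exported file with that encoding before passing its text to `webdav_status`.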